The OWASP Java Project's goal is to enable Java and J2EE developers to build secure applications efficiently. See the [[OWASP Java Project Roadmap]] for more information on our plans.

+

The OWASP Java Project's goal is to enable Java and J2EE developers to build secure applications efficiently. See the [http://www.owasp.org/index.php/OWASP_Java_Project#tab=Roadmap OWASP Java Project Roadmap] for more information on our plans.

−

+

−

==Joining the Project==

+

−

+

−

Stephen de Vries and Rohyt Belani lead the project. We're currently building out the [[OWASP Java Project Roadmap]]. Please submit your ideas for where we should spend our efforts there.

+

−

If you'd like to contribute, visit the [[Tutorial]], join the [http://lists.owasp.org/mailman/listinfo/java-project mailing list] and pick a topic from the [[OWASP Java Project Roadmap]], or suggest a new topic.

+

==Java Security Overview==

==Java Security Overview==

−

While Java and J2EE contain many security technologies, it is not easy to produce an application without security vulnerabilities. Most application security [[:Category:Vulnerability|vulnerabilities]] apply to Java applications just like other environments. The notable exception is [[Buffer overflow|buffer overflow]] and related issues that do not apply to Java applications.

+

While Java and J2EE contain many security technologies, it is not easy to produce an application without security vulnerabilities. Most application security [[:Category:Vulnerability|vulnerabilities]] apply to Java applications just like other environments. The notable exception is [[Buffer Overflow|buffer overflow]] and related issues that do not apply to Java applications.

−

The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure Java applications. We cover the following topics

+

There is a wealth of information about vulnerabilities that apply to Java and JavaEE application in the [[:Category:Vulnerability|Vulnerability]] articles here at OWASP. The articles that have specific Java examples are tagged with the [[:Category:Java|Java category]].

−

; [[J2EE Security for Architects]]

+

The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure Java applications. We cover the following topics:

: This section covers dangerous Java calls and common vulnerabilities associated with them, such as Runtime.exec(), Statement.execute(), readline(), etc... The dangers of native code, dynamic code, and reflection will be discussed. We'll also talk about using tools like PMD, jlint, FindBugs, Eclipse, jad, and more. This section will also cover standard security mechanisms in the JDK, such as cryptography, logging, encryption, error handling. Securing elements of an application, such as servlets, JSPs, controllers, business logic, and persistence layers will be covered. We'll discuss handling request parameters, encoding, injection, and more. We'll also discuss the use of security mechanisms such as log4j, BouncyCastle, XML encryption, XML signature, and other technologies.

+

: These articles cover dangerous Java calls and common vulnerabilities associated with them, such as Runtime.exec(), Statement.execute(), readline(), etc... The dangers of native code, dynamic code, and reflection will be discussed. We'll also talk about using tools like PMD, jlint, FindBugs, Eclipse, jad, and more. This section will also cover standard security mechanisms in the JDK, such as cryptography, logging, encryption, error handling. Securing elements of an application, such as servlets, JSPs, controllers, business logic, and persistence layers will be covered. We'll discuss handling request parameters, encoding, injection, and more. We'll also discuss the use of security mechanisms such as log4j, BouncyCastle, XML encryption, XML signature, and other technologies.

: These articles cover the verification, analysis, and testing of the security of J2EE applications. This section will cover using tools to find vulnerabilities, both in source code and in running applications. These articles will focus on J2EE-specific aspects of testing applications that use various common J2EE frameworks and coding patterns.

:this document provides a quick high level reference for secure coding practices. It is technology agnostic and defines a set of general software security coding practices, in a checklist format, that can be integrated into the development lifecycle.

# and pick a topic from the [[OWASP Java Table of Contents]], or suggest a new topic.<br>

+

Remember to add the tag: <nowiki>[[Category:OWASP Java Project]]</nowiki> to the end of new articles so that they're properly categorised.

+

+

[[Category:OWASP_Project| Java Project ]]

+

[[Category:OWASP Document]]

+

[[Category:OWASP Download]]

+

[[Category:Language]]

Revision as of 08:50, 30 October 2012

Main

The OWASP Java Project's goal is to enable Java and J2EE developers to build secure applications efficiently. See the OWASP Java Project Roadmap for more information on our plans.

Java Security Overview

While Java and J2EE contain many security technologies, it is not easy to produce an application without security vulnerabilities. Most application security vulnerabilities apply to Java applications just like other environments. The notable exception is buffer overflow and related issues that do not apply to Java applications.

There is a wealth of information about vulnerabilities that apply to Java and JavaEE application in the Vulnerability articles here at OWASP. The articles that have specific Java examples are tagged with the Java category.

The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure Java applications. We cover the following topics:

These articles cover dangerous Java calls and common vulnerabilities associated with them, such as Runtime.exec(), Statement.execute(), readline(), etc... The dangers of native code, dynamic code, and reflection will be discussed. We'll also talk about using tools like PMD, jlint, FindBugs, Eclipse, jad, and more. This section will also cover standard security mechanisms in the JDK, such as cryptography, logging, encryption, error handling. Securing elements of an application, such as servlets, JSPs, controllers, business logic, and persistence layers will be covered. We'll discuss handling request parameters, encoding, injection, and more. We'll also discuss the use of security mechanisms such as log4j, BouncyCastle, XML encryption, XML signature, and other technologies.

These articles cover the verification, analysis, and testing of the security of J2EE applications. This section will cover using tools to find vulnerabilities, both in source code and in running applications. These articles will focus on J2EE-specific aspects of testing applications that use various common J2EE frameworks and coding patterns.

this document provides a quick high level reference for secure coding practices. It is technology agnostic and defines a set of general software security coding practices, in a checklist format, that can be integrated into the development lifecycle.